ValveSoftware / Source-1-Games

Source 1 based games such as TF2 and Counter-Strike: Source

[TF2] Allow CVars To Be Aliased Again Only On Dedicated Servers #6177

Open Marioiscool246 opened 1 month ago

Marioiscool246 commented 1 month ago

I run a TF2 server with sv_cheats turned on. Previously, I used alias to alias things like the rcon_password cvar to prevent it from being changed by unauthorized users. I cannot do this anymore unless I patch the engine to remove the new checks. Please consider lifting this restriction to only the dedicated server as I understand that the change was made to fix some sort of cvar based exploit.

kisak-valve commented 1 month ago

(Non-authoritative) I've read this a couple times and it doesn't make sense to me. What exactly was the previous bad behavior, how was it mitigated before, and why wouldn't the recent change make it harder to cause that type of problem?

Marioiscool246 commented 1 month ago

Before the Summer Update, you could use the alias command on CVars to prevent a certain ConVar from being changed or to prevent ConCommands from executing.

Since my server has sv_cheats turned on, bad actors with the knowledge to do so can easily change the rcon password while connected to gain persistent access to the server console via rcon until a server restart. This alias trick prevents that from happening as it "redirects" the rcon_password command to basically a null string to protect the rcon_password from being overwritten. Since the recent change blocked the ability to use alias on existing ConVars and ConCommands, I can no longer use this trick, leaving the server vulnerable.

I have it set up in my server cfg to mitigate this issue like this:

```
rcon_password // set rcon password
alias rcon_password "" // prevent it from being changed
```

I know the reason for this issue might be niche, but there's more than one server alongside mine that could use and were probably using this trick.

If it still doesn't make any sense, I can send a video to help show the purpose of this issue.